66
EMAIL SPOOFING, PHISHING & SPAMMING 1
EMAIL SPOOFING, PHISHING & SPAMMING
1
Table of Contents 2
Spoofing
Types Of Spoofing
Phishing
History of Phishing
Spamming
Anti-Spamming
Spoofing
It is a situation in which one person or program successfully masquerades as another by falsifying information/data and thereby gaining an illegitimate advantage.
Masquerade
Takes place when entity pretends to be different entity.
An attacker alters his identity so that some one thinks he is some one else Email, User ID, IP Address, … Attacker exploits trust relation between
user and networked machines to gain access to machines
Exploit:- A software tool designed to take advantage of a flaw in a computer system, typically for malicious purposes such as installing malware.
Spoofing Definition
5
Spoofing is the act of disguising a communication from an unknown source as being from a known and trusted source.
Spoofing can apply to emails, phone calls, and websites, or can be more technical, such as a computer spoofing an IP address, Address Resolution Protocol (ARP), or Domain Name System (DNS) server.
Spoofing
Spoofing 6
Spoofing can be used to gain access to a target’s personal information, spread malware through infected links or attachments, bypass network access controls, or redistribute traffic to conduct a denial-of-service attack.
Spoofing is often the way a bad actor gains access in order to execute a larger cyber attack such as an advanced persistent threat or a man-in-the-middle attack.
Spoofing 7
Successful attacks on organizations can lead to infected computer systems and networks, data breaches, and/or loss of revenue—all liable to affect the organization’s public reputation.
In addition, spoofing that leads to the rerouting of internet traffic can overwhelm networks or lead customers/clients to malicious sites aimed at stealing information or distributing malware.
Types of Spoofing
1)IP Spoof
2)Web Spoof
3)E-mail Spoof
4)ARP Spoofing
5)DNS Server Spoofing
6)Non Technical Spoof
1) IP Spoofing
The creation of IP packets with a forged (fake) source.
The purpose of it is to conceal the identity of the sender or impersonating another computing system.
Definition:
Attacker uses IP address of another computer to acquire information or gain access
IP Spoofing – Flying-Blind Attack
Replies sent back to 10.10.20.30
Spoofed Address
10.10.20.30
Attacker
10.10.50.50
John
10.10.5.5
From Address: 10.10.20.30
To Address: 10.10.5.5 • Attacker changes his own IP address
to spoofed address
• Attacker can send messages to a machine masquerading as spoofed machine
• Attacker can not receive messages from that machine
Definition:
Attacker spoofs the address of another machine and inserts itself between the attacked machine and the spoofed machine to intercept replies
IP Spoofing – Source Routing
Replies sent back
to 10.10.20.30
Spoofed Address
10.10.20.30
Attacker
10.10.50.50
John
10.10.5.5
From Address: 10.10.20.30
To Address: 10.10.5.5
• The path a packet may change can vary over time
• To ensure that he stays in the loop the attacker uses source routing to ensure that the packet passes through certain nodes on the network
Attacker intercepts packets
as they go to 10.10.20.30
Uses of IP Spoofing
Denial-of-service attack
The goal is to flood the victim with overwhelming amounts of traffic.
This prevents an internet site or service from functioning efficiently or at all, temporarily or indefinitely.
Uses of IP Spoofing
To defeat networks security Such as authentication based on IP addresses. This type of attack is most effective where trust
relationships exist between machines. For example, some corporate networks have
internal systems trust each other, a user can login without a username or password as long he is connecting from another machine on the internal network.
By spoofing a connection from a trusted machine, an attacker may be able to access the target machine without authenticating.
Defense against IP spoofing
Packet filtering- one defense against IP spoofing
Ingress filtering- blocking of packets from outside the network with a source address inside the network
Egress filtering –blocking outgoing packets from inside the network source address.
Defense against IP spoofing
Upper Layers Some upper layer protocols provide their
own defense against IP spoofing.
For example, TCP uses sequence numbers negotiated with the remote machine to ensure that the arriving packets are part of an established connection. Since the attacker normally cant see any reply packets, he has to guess the sequence number in order to hijack the connection.
2) Web Spoofing
It’s a security attack that allows an adversary to observe and modify all web pages sent to the victim’s machine and observe all information entered into forms by the victim.
Dangers of Web Spoofing
After your browser has been fooled, the spoofed web server can send you fake web pages or prompt you to provide personal information such as login Id, password, or even credit card or bank account numbers.
2) Web Spoofing
The attack is initiated when a victim visits a malicious web page, or receives a malicious email message.
The attack is implemented using JavaScript and Web serves plug-ins.
Basic
Attacker registers a web address matching an entity e.g., Man-in-the-Middle Attack
Attacker acts as a proxy between the web server and the client Attacker has to compromise the router or a node through which
the relevant traffic flows URL Rewriting
Attacker redirects web traffic to another site that is controlled by the attacker
Attacker writes his own web site address before the legitimate link
Tracking State When a user logs on to a site a persistent authentication is
maintained This authentication can be stolen for masquerading as the user
2) Web Spoofing
www.googel.com
Web Site maintains authentication so that the user does not have to authenticate repeatedly
Three types of tracking methods are used:
1.Cookies: Line of text with ID on the users cookie file –Attacker can read the ID from users cookie file
2.URL Session Tracking: An id is appended to all the links in the website web pages. – Attacker can guess or read this id and masquerade as user
3.Hidden Form Elements – ID is hidden in form elements which are not visible to user
– Hacker can modify these to masquerade as another user
Web Spoofing – Tracking State
Definition: Process of taking over an existing active session
Modus Operandi: 1.User makes a connection to the server by
authenticating using his user ID and password. 2.After the users authenticate, they have access
to the server as long as the session lasts. 3.Hacker takes the user offline by denial of
service 4.Hacker gains access to the user by
impersonating the user
Session Hijacking
Attacker can
monitor the session
periodically inject commands into session
launch passive and active attacks from the session
Bob telnets to Server
Bob authenticates to Server
Bob
Attacker
Server
Die! Hi! I am Bob
Session Hijacking
Attackers exploit sequence numbers to hijack sessions
Sequence numbers are 32-bit counters used to: tell receiving machines the correct order of
packets Tell sender which packets are received and
which are lost
Receiver and Sender have their own sequence numbers
Session Hijacking – How Does it Work?
When two parties communicate the following are needed: IP addresses Port Numbers Sequence Number
IP addresses and port numbers are easily available so once the attacker gets the server to accept his guesses sequence number he can hijack the session.
Session Hijacking – How Does it Work?
How to prevent it
Don’t click links in emails instead always copy and paste, or even better manually type the URL in.
When entering personal or sensitive information, verify the URL is as you expect, and the site’s SSL certificate matches that URL.
Understand why you’re providing the information-does it make sense? Does the site need to know your SSN?
3) Email Spoof
E-mail spoofing is the forgery of an e-mail header so that the message appears to have originated from someone or somewhere other than the actual source.
e-mail spoofing: fraudulent e-mail activity in which the sender address and other parts of the e-mail header are altered to appear as though the e-mail originated from a different source
Definition: Attacker sends messages masquerading as some one
else What can be the repercussions?
Types of Email Spoofing: 1. Create an account with similar email address
– [email protected]: A message from this account can perplex the students
2. Modify a mail client – Attacker can put in any return address he wants to in the
mail he sends
3. Telnet to port 25 – Most mail servers use port 25 for SMTP. Attacker logs on
to this port and composes a message for the user.
Email Spoofing
Why Do We Get Fake Emails?
97% of people cannot identify a sophisticated fake email
People are the weakest security link in most business processes
We can secure our networks, computers, systems, and internet access to make it more difficult to compromise information
People making decisions on emails that request action is a manual process that cannot always be controlled
It’s easier for hackers to use people to gather information and build schemes to get what they want
28
Email Spoof Protection
Double check the email you are replying to, make sure that the letters are what they truly seem. For example, l(lower case L) is not the same as I(upper case i).
Look at the IP information of the email header. If an email originated from inside your network, the sender should have very similar IP address.
How to Recognize Fake Emails
Legitimate companies do not send email requesting sensitive information
Don’t trust the name in the from field of an email
If it looks suspicious do not open the email
Hover over links to see what address the link takes you
Open a new browser window and type the website address directly into the browser rather than clicking on the link
Most companies us secure web addresses identified by using https:// in the address bar instead of just http://
30
How to Recognize Fake Emails
Obvious grammar or spelling errors
Strange message structures
Generic greeting
Urgent language
Generic closing
When in doubt, click the “Reply All” button
This may reveal the true e-mail address
Don’t click on email attachments
Review the email signature
Lack of details on contacting the company
31
Alarmist Email Social Engineering
Do this or else
Criminals try to create a sense of urgency so you’ll respond without thinking
32
Grammar/Spelling Issues
Often times phishing messages have typos,
grammatical errors, or extra characters
33
Mozilla Firefox
Examine Hyperlinks
Hover over links
Type into a browser to avoid subtle changes
34
4) ARP Spoofing 35
Address Resolution Protocol (ARP) is a protocol that resolves IP addresses to Media Access Control (MAC) addresses for transmitting data.
ARP spoofing is used to link an attacker’s MAC to a legitimate network IP address so the attacker can receive data meant for the owner associated with that IP address.
ARP spoofing is commonly used to steal or modify data but can also be used in denial-of-service and man-in-the-middle attacks or in session hijacking.
5) DNS Server Spoofing 36
DNS (Domain Name System) servers resolve URLs and email addresses to corresponding IP addresses.
DNS spoofing allows attackers to divert traffic to a different IP address, leading victims to sites that spread malware.
6) Non-Technical Spoofing
These non-computer based techniques are commonly referred to as social engineering. With social engineering, an attacker tries to convince someone that he is someone else.
This can be as simple as the attacker calling someone on the phone saying that he is a certain person.
Example of Non-Technical Spoofing
An attacker calls the help desk to request a new account to be set up. The attacker pretends to be a new employee.
A “technician” walks into a building saying that he has been called to fix a broken computer. What business does not have a broken computer?
Why does Non-Technical Spoof Works
The main reason is that it exploits attributes of human behavior: trust is good and people love to talk.
Most people assume that if someone is nice and pleasant, he must be honest.
If an attacker can sound sincere and listen, you would be amazed at what people will tell him.
Non-Technical Spoof Protection
Educate your users
The help desk
Receptionist
Administrators
Have proper policies:
Password policy
Security policy
41
What is Phishing?
What is Phishing?
Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details…by disguising as a trustworthy entity in an electronic communication.
Phishing is typically carried out by email spoofing and it often directs users to enter personal information at a fake website, the look and feel of which are identical to the legitimate one.
Phishing 43
These are targeted and simple forms of phishing emails designed to get victims to purchase gift cards, or to give up personal email or phone numbers.
The "email compromise" gets its name because the attacker mimics the email of a known sender.
44
Phishing
phishing: scam by which an e-mail user is duped into revealing sensitive information such as passwords and credit card details
Link might go to another
website (links are easy to
spoof); hover mouse over links
to see where they lead
45
Phishing in 1995
Target: AOL users
Purpose: getting account passwords for free time
Threat level: low
Techniques: Similar names ( www.ao1.com for www.aol.com ), social
engineering
History of Phishing
Phreaking + Fishing = Phishing
- Phreaking = making phone calls for free back in 70’s
- Fishing = Use bait to lure the target
46
Phishing in 2001
o Target: Ebayers and major banks
o Purpose: getting credit card numbers, accounts
o Threat level: medium
o Techniques: Same in 1995, keylogger
Phishing in 2007
o Target: Paypal, banks, ebay
o Purpose: bank accounts
o Threat level: high
o Techniques: browser vulnerabilities, link obfuscation
History of Phishing
Phreaking + Fishing = Phishing
- Phreaking = making phone calls for free back in 70’s
- Fishing = Use bait to lure the target
Phishing in 1995
Target: AOL users
Purpose: getting account passwords for free time
Threat level: low
Techniques: Similar names ( www.ao1.com for www.aol.com ), social
engineering
Phishing in 2001
Target: Ebayers and major banks
Purpose: getting credit card numbers, accounts
Threat level: medium
Techniques: Same in 1995, keylogger
Phishing in 2007
Target: Paypal, banks, ebay
Purpose: bank accounts
Threat level: high
Techniques: browser vulnerabilities, link obfuscation
History of Phishing
48
• 2,000,000 emails are sent
• 5% get to the end user – 100,000 (APWG)
• 5% click on the phishing link – 5,000 (APWG)
• 2% enter data into the phishing site –100 (Gartner)
• $1,200 from each person who enters data (FTC)
• Potential reward: $120,000
A bad day phishing’, beats a good day working’
In 2005 David Levi made over $360,000 from 160
people using an eBay Phishing scam
49
• Over 28,000 unique phishing attacks reported in Dec. 2006, about double the number from 2005
• Estimates suggest phishing affected 2 million US citizens and cost businesses billions of dollars in 2005
• Additional losses due to consumer fears
Phishing: A Growing Problem
50
What Does a Phishing Scam Look Like?
• As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows.
• They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.
51
PREVENTIONS
Never respond to requests for personal information like passwords via e-mail (or phone!). Legitimate businesses do not request such
information this way.
Visit web sites of companies with which you have business by manually typing the company URL. Do not click on links in unexpected e-mails because
they can be spoofed. Along the same lines, do not call phone numbers
found in those e-mails.
52
What Can Be Done About Phishing?
Be leery of URLs that do not have the company name directly before the top-level domain. For example, bankofamerica.com is the correct URL,
bankofamerica.pp.com is questionable.
Routinely review your credit card and bank
statements for unusual activity. http://annualcreditreport.com
"Recognizing Phishing Scams and Fraudulent / Hoax
Email" http://www.microsoft.com/protect/yourself/phishing/ident
ify.mspx
53
How Often Should You Change Your Passwords?
https://uwnetid.washington.edu/manage/
Can't an attacker (perhaps using a computer program) keep guessing passwords?
Computer systems usually impose a time-out of several seconds after a number (e.g. three) failed attempts.
"Top 10 Most Common Passwords"
http://modernl.com/article/top-10-most-common-passwords
Phishing
Phishing: a trick to get you to enter personal information such as Credit card information
Banking info
Social security number
Passwords
Email or physical address
Example: You receive an email from a Nigerian prince who needs you to help get $50
million out of Nigeria. He must leave in secret and transfer the money to your account. He promises you $5 million after he gets to safety.
There probably never was a Nigerian prince, and whomever sent the email will take all your money.
Spam
Spam is unsolicited commercial emails—unwanted ads in your inbox
May be to phish for information or transmit a virus
Sample subjects:
RE: Pharmacy sale 80% off!
Ama-zingly fresh sk!n with n0 wrinkles
We renamed your account
From an old friend
Don’t Miss Out!
Don’t even open these emails
Anti-spam
Delete without opening! If you open it, don’t click and don’t reply
Gmail has good spam filters that catch most spam
Don’t buy anything from companies that email you randomly! Especially not medicine!
Definition:
Attack through which a person can render a system unusable or
significantly slow down the system for legitimate users by
overloading the system so that no one else can use it.
Types:
1. Crashing the system or network
– Send the victim data or packets which will cause system to crash or
reboot.
2. Exhausting the resources by flooding the system or network with
information
– Since all resources are exhausted others are denied access to the
resources
3. Distributed DOS attacks are coordinated denial of service attacks
involving several people and/or machines to launch attacks
Denial of Service (DOS) Attack
Types:
1. Ping of Death
2. SSPing
3. Land
4. Smurf
5. SYN Flood
6. CPU Hog
7. Win Nuke
8. RPC Locator
9. Jolt2
10. Bubonic
11. Microsoft Incomplete TCP/IP Packet Vulnerability
12. HP Openview Node Manager SNMP DOS Vulneability
13. Netscreen Firewall DOS Vulnerability
14. Checkpoint Firewall DOS Vulnerability
Denial of Service (DOS) Attack
This attack takes advantage of the way in which information is stored by computer programs
An attacker tries to store more information on the stack than the size of the buffer
How does it work?
Buffer Overflow Attacks
•
Buffer 2
Local Variable 2
Buffer 1
Local Variable 1
Return Pointer
Function Call
Arguments
•
Fill
Direction
Bottom of
Memory
Top of
Memory
Normal Stack
•
Buffer 2
Local Variable 2
Machine Code:
execve(/bin/sh)
New Pointer to
Exec Code
Function Call
Arguments
•
Fill
Direction Bottom of
Memory
Top of
Memory
Smashed Stack
Return Pointer Overwritten
Buffer 1 Space Overwritten
Programs which do not do not have a rigorous memory check in the code are vulnerable to this attack
Simple weaknesses can be exploited
If memory allocated for name is 50 characters, someone can break the system by sending a fictitious name of more than 50 characters
Can be used for espionage, denial of service or compromising the integrity of the data
Examples
NetMeeting Buffer Overflow
Outlook Buffer Overflow
AOL Instant Messenger Buffer Overflow
SQL Server 2000 Extended Stored Procedure Buffer Overflow
Buffer Overflow Attacks
A hacker can exploit a weak passwords & uncontrolled network modems easily
Steps Hacker gets the phone number of a company Hacker runs war dialer program
If original number is 555-5532 he runs all numbers in the 555-55xx range
When modem answers he records the phone number of modem
Hacker now needs a user id and password to enter company network Companies often have default accounts e.g. temp, anonymous with
no password Often the root account uses company name as the password For strong passwords password cracking techniques exist
Password Attacks
Password hashed and stored Salt added to randomize password & stored on system
Password attacks launched to crack encrypted password
Password Security
Hash
Function
Hashed
Password
Salt
Compare
Password
Client
Password
Server
Stored Password
Hashed
Password
Allow/Deny Access
Find a valid user ID
Create a list of possible passwords
Rank the passwords from high probability to low
Type in each password
If the system allows you in – success !
If not, try again, being careful not to exceed password lockout (the number of times you can guess a wrong password before the system shuts down and won’t let you try any more)
Password Attacks - Process
Dictionary Attack Hacker tries all words in dictionary to crack
password
70% of the people use dictionary words as passwords
Brute Force Attack Try all permutations of the letters &
symbols in the alphabet
Hybrid Attack Words from dictionary and their variations
used in attack
Password Attacks - Types
Social Engineering People write passwords in different places
People disclose passwords naively to others
Shoulder Surfing Hackers slyly watch over peoples shoulders
to steal passwords
Dumpster Diving People dump their trash papers in garbage
which may contain information to crack passwords
Password Attacks - Types
66
Thank You . . . . . !
